Google Chrome Silent HTTP Authentication

EDB-ID: 24486

CVE: N/A

OSVDB-ID: N/A

Author: T355

Published: 2013-02-11

Verified:

Exploit Code:

Vulnerable App: N/A

Rating

Overall:
(0.0)

# Exploit Title: [Google Chrome Silent HTTP Authentication]
# Date: [2-5-2013]
# Exploit Author: [T355]
# Vendor Homepage: [http://www.google.com/chrome]
# Version: [24.0.1312.57]
# Tested on: [Tested on: Windows 7 & Mac OSX Mountain Lion]
# CVE : [n/a]
VULNERABILITY DETAILS
The latest version of Google Chrome (Tested on Version 24.0.1312.57)
fails to properly recognize HTTP Basic Authentication when injected in
various HTML tags. As a result of this behavior Chrome will not alert
the user when HTTP Basic Authentication is taking place or when
credentials are rejected. This behavior is particularly concerning
with respect to small office and home routers. Such devices are easily
brute forced using this method. Many of these devices have the default
password enabled which brings me to part II of this bug. Silent HTTP
Authentication allows the attacker to log into the router and change
settings with no alerts and or warnings issued by Chrome. The end
result allows an attacker to brute force the router login, connect to
the router, enable remote administration and of course control all
information on the entire network via DNS attacks etc.
REPRODUCTION CASE
I have attached the following files:
sploit.txt - Indicates the buggy code.
jquery.js - Used for real world scenario but not needed for bug.
brute.js - Real world attack scenario for this bug.
index.html - HTML Attack Page
attack.php - Payload file for Linksys Routers.
VERSION
Chrome Version: [24.0.1312.57]
Operating System: [Tested on: Windows 7 & Mac OSX Mountain Lion]
CREDIT
T355
IMPACT
The impact for this bug is enormous. Tens of millions of home routers
can easily be completely compromised. Distributed brute force attacks
can be performed on any HTTP Authentication portal.
RECOMMENDATIONS
Reference how Firefox and Safari handle the attached code.
PoC: http://www.exploit-db.com/sploits/24486.tar.gz